The IT Administrator's view of Secunia is via the "Secunia CSI" Console. There are two subcomponents available.
- Deploying Secunia CSI Agents (Scan systems for software vulnerabilities)
- Deploying Secunia PSI Agents (Scan systems for software vulnerabilities, provide some automatic patching and give reporting to end user).
- UAB has a site license (currently through Fall 2013) for this software though there are license counts associated with the software and administrator accounts.
- Secunia PSI can only have 1 linkID per reporting subaccount!
- Secunia PSI can be configured to report to a CSI instance or be standalone. Personally owned devices should generally use the non-reporting PSI.
UAB IT's initial deployment does not include pushing patches via WSUS. How to accomplish this on top of our existing WSUS processes and coming Forefront-based processes is being examined.
2. PSI Usage
If you are only worried about one or two systems (like a workstation), use the end user install of secunia PSI.
3. CSI Usage
Full documentation is available at http://secunia.com/vulnerability_scanning/corporate
- Establishing Subaccounts. Each subaccount is a unique set of reporting views and licensing counts. Accounts can either be subordinate or they can be a "shadow" of an existing account.
- Reporting (AdHOc or Scheduled Email); Several are available including static URLs that you can include in existing webpages as a dashboard for system status.
- Integration with Secunia PSI;
- Patch deployment Integration with WSUS or SCCM; This requires your own WSUS infrastructure. UAB IT is currently examining how to offer third party patches beyond Microsoft.
3.1 Getting Started with CSI
- Contact AskIT@uab.edu and request an account. Please indicate an approximate number of systems and other administrators you will need.
- You will receive an email with your account username and password from Secunia email@example.com.
- Download and install the CSI Management console from http://secunia.com/vulnerability_scanning/corporate
- Login to the CSI Console with your assigned username and password. You can change your password at anytime.
3.2 Downloading CSI Agent
Please note that a csia.exe download is bound to an account. If you end up with multiple accounts, please make sure to keep your csia.exe unique.
- Go to Scan > Scheduled Scanning > Download Agent; There is also a manual available on this screen.
- Choose an installation methodology. At the end of this document is an example script that will run csia.exe using the
-NAME of the hostname as the "group" .
3.3 Downloading a Linked PSI Agent
PSI agents are nice for situations where end users take some responsibility for the software they install and keep up to date. Please refer to end-user documentation for dealing with some of the caveats associated with PSI, especially with Java.
- Go to Scan > PSI Integration > Download Custom PSI
- Create a unique LinkID for your area. This cannot be changed.
- Save the custom installer as PSISetup!
.exe; The name of the installer should not be changed.
3.4 Creating a shadow account
This is an account with the same reporting scope as an existing account.
- Navigate to User Management > Shadow Accounts
- Click New Shadow Account
3.5 Creating a subaccount
This is an account with a new reporting scope. This will not roll up into your main set of reports. This is useful for delegated responsibility situations such as labs. If you want someone else to have the same rights as you, create a shadow account!
- Navigate to User Management > Accounts
- Click New Account
4. Secunia CSI Login Scripts
This script is suitable for being used as a login script or as a scheduled task. Please share any suggested changes to this script.
' NAME: runsecunia.vbs
' AUTHOR: Chris Green firstname.lastname@example.org
' AUTHOR: Aaron Blum email@example.com
' DATE : 2/2/2011
' DATE : 5/1/2012 (updated)
' Runs the Secunia csia agent (different visibility scopes per user) and
' sets the site to the active OU|
' 5/1/2012 - Updated Script to work with Secunia 5.0 Agent
' 2/2/2011 - Made csia execute in background.
' This default configuration assumes that the csia.exe file is
' in the "C:\Secunia\" folder and that logs are to be placed
' in the "C:\Secunia\logs" folder.
' It also configures the agent to check-in every two days
' This can be modify by adjusting the flag after the -i in SecuniaCmd
' Change these values where needed.
' SEC (AKA Chris Green) Login Script
'On Error Resume Next
'' full path to CSI Program
''const CsiaPath = "%ProgramFiles%\Secunia\csia.exe"
const CsiaPath = "C:\Secunia\csia.exe"
'' Output log directory, Log will be username.sec
''const LogPath = "%ProgramFiles%\Secunia\logs\"
const LogPath = "C:\Secunia\logs\"
'' Run in foreground?
const bInteractive = False
Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Overwrite the last instance of the logs
Dim objLogPath, ouGuess, idxDash, secuniaCmd
objLogPath = LogPath & objNetwork.UserName & ".sec"
Set objLog = objFSO.OpenTextFile(objLogPath,2,true)
TimeStamp = Year(now) & "-" & Month(now) & "-" & Day(now) & "-" & Hour(now) & Minute(now)
ouGuess = "ADLogonScript"
idxDash = InStr(1,objNetwork.computername, "-", 1) - 1
If idxDash > 0 Then
ouGuess = Mid(objNetwork.computername, 1, idxDash)
objLog.WriteLine("[*] Secunia " & objNetwork.UserName & "@" & objNetwork.computername & " on " & Now)
secuniaCmd = CsiaPath & " -i 2D -L -g " & ouGuess & " -v --skipwait -d " & LogPath & TimeStamp & "_csia.log"
objLog.WriteLine("[*] Secunia Executing with " & secuniaCmd)
If bInteractive Then
set oExec = objShell.Exec(secuniaCmd)
' Wait for the scan to complete
Do While Not oExec.StdOut.AtEndofStream
strText = oExec.StdOut.ReadLine()
objLog.WriteLine("[*] Secunia Exited with " & oExec.Status & " on " & objNetwork.UserName & "@" & objNetwork.computername & " on " & Now)
'' Close the output file, hide csia in the background
objShell.Run "cmd /c " & secuniaCmd & ">>" & objLogPath, vbHide